We resume our analysis of the European data strategy and its main purpose of promoting the development of a “data-driven” economy of the Union.
In the Alert of July 22nd, 2021, we highlighted the strategic value of “data” and examined the ranking of the 27 countries’ economies in this regard. In this round, we will focus on the nature of this intangible asset and the line of demarcation between personal data – subject to the protection of individual rights and freedoms – and non-personal data, with a view to the exploitation of this valuable asset.
Protection of personal data
The European Data Strategy takes note that the European legislator initially laid the groundwork for this development by enshrining the fundamental right of individuals to the protection of their personal data. The Charter of Fundamental Rights of the European Union recognizes the existence of this autonomous right along with the establishment of an independent national supervisory authority (Art. 8), in addition to – and independent of – the right to respect for private life (Art. 7 of the Charter). Article 16 of the Treaty on the Functioning of the Union (“TFEU”) completes the EU normative platform; in this regard it reads: “Everyone has the right to the protection of personal data concerning them” and adds, “(the) compliance with these rules shall be subject to the control of independent authorities.”
Therefore, the Commission’s strategy is to «keep the EU at the forefront of the data-agile economy, while respecting and promoting the fundamental values that are the foundation of European societies» (emphasis added).
Economy and values, however, are not on the same level, as the latter are enshrined in primary norms of EU law (Charter and TFEU) which guide secondary norms (Regulations and Directives) without the latter being able to contradict the former.
Personal Data regulations
The EU personal data protection standard is General Regulation No. 2016/679 (“GDPR”), which replaced Directive 95/46/EC. The GDPR pursues two closely related aims:
- a high level of personal data protection;
- the free movement of personal data within the Union.
Data protection, therefore, not only responds to the protection of the fundamental right enshrined in the Treaties, but is also functional to the free flow of data within the EU, which is essential to the development of the digital economy and of a single European data space.
The data protection scheme is completed by:
- Directive 2016/680 (“Police Directive”) on data protection for processing by competent authorities for anti-crime purposes;
- Regulation 2018/1725 on the protection of personal data for processing by EU institutions;
- Directive 2002/58/EC on privacy in electronic communications (the so-called “ePrivacy” Directive, supplemented by Directive 2009/136/EC), which is currently under review through a proposed regulation that is in the process of being approved by the EU institutions.
These two latter ePrivacy rules stand in a special-law relationship to the general regulation: the specific provisions they contain prevail over those of the GDPR, whereas the requirements of the GDPR continue to apply wherever they contain no specific provision.
Personal data and non-personal data
The data family consists of “personal data” and “non-personal data.” “Personal data” are those defined by the GDPR [Art. 4(1)] with a broad definition that includes both the identification data of an individual and information that is likely to identify him or her even indirectly, i.e., by making use of additional information. The definition of “personal data” also serves to identify “non-personal data”, which are those that do not qualify as “personal data”.
The delineation between “personal data” and “non-personal data” assumes particular relevance both for determining the scope of application of the GDPR and further related rules and for the purposes of the European Data Strategy, as the latter pursues the objective of removing barriers to the sharing of non-personal data within the EU as an action to facilitate the development of the Union’s digital economy. Thus, while the free movement of “personal data” within the EU – i.e., the GDPR’s second objective – is conditioned on compliance with data protection requirements aimed at ensuring the rights and freedoms of data subjects, the sharing of “non-personal data” is not subject, in principle, to any “privacy” conditions.